Complete Guide: Setting Up FortiGate Virtual Appliance on VMware ESXi

Introduction

FortiGate-VM brings enterprise-grade network security to your virtualized infrastructure. This comprehensive guide walks you through deploying a FortiGate virtual appliance on VMware ESXi, from initial download to full configuration.

FortiGate-VM delivers the same robust security features as physical FortiGate appliances, including next-generation firewall capabilities, VPN, intrusion prevention, web filtering, and anti-malware protection—all within your virtual environment.

YouTube ChannelFor Full video tutorial go to my Youtube Channel -

Follow me on TikTok- TikTok

Prerequisites

Before beginning the deployment, ensure you have:

System Requirements

VMware ESXi 6.5 or later installed on a physical server
vSphere Client or web interface access
Sufficient resources based on your FortiGate-VM model:
- Minimum (FG-VM00): 1 vCPU, 1GB RAM, 2GB storage
- Medium (FG-VM02): 2 vCPUs, 2GB RAM, 2GB storage
- Large (FG-VM08): 8 vCPUs, 8GB RAM, 2GB storage

Network Requirements

At least 2 network port groups configured on your ESXi host (for WAN and LAN interfaces)
Internet connectivity for FortiGate license validation
FortiManager (optional, for centralized management)

License Requirements

FortiGate-VM registration code (received via email upon purchase)
Support account on Fortinet Customer Service & Support portal

Special Configurations

If you plan to use:

Transparent mode: Virtual switches must support promiscuous mode
High Availability (HA): Configure virtual switches for HA heartbeat traffic

Step 1: Download the FortiGate-VM Deployment Package

1.1 Access the Fortinet Support Portal

Navigate to https://
support.fortinet.com
Log in with your Fortinet account credentials
If you don't have an account, click Sign Up to create one

1.2 Download the VM Image

From the navigation menu, select Download > VM Images
In the Select Product dropdown, choose FortiGate
In the Select Platform dropdown, choose VMware ESXi
Select the appropriate FortiOS version (7.6.0 recommended for latest features)
Download the deployment package (typically a .zip file containing multiple files)

1.3 Extract the Deployment Package

Extract the downloaded .zip file to a local folder. The package contains:

fortios.vmdk - System hard disk
datadrive.vmdk - Log disk
FortiGate-VM64.ovf - OVF template for ESXi 7.0+
FortiGate-VM64.hw13.ovf - Template for ESXi 6.5+
FortiGate-VM64.hw15.ovf - Template for ESXi 6.7+
README.txt - Compatibility information

Important: Choose the correct OVF template based on your ESXi version:

ESXi 7.0+ → Use FortiGate-VM64.ovf
ESXi 6.7 U2+ → Use FortiGate-VM64.hw15.ovf
ESXi 6.5+ → Use FortiGate-VM64.hw13.ovf

Step 2: Register and Obtain License

2.1 Register Your FortiGate-VM

Log in to https://
support.fortinet.com
Navigate to Asset > Register/Renew
Enter the registration code from your email
Click Register to access the registration form
Complete all required fields:
- Product Serial Number
- Company Information
- Contact Details
Submit the registration form

2.2 Download License File

After successful registration, you'll see a confirmation page
Click the License File Download link
Save the license file (.lic) to your local computer
Keep this file safe—you'll need it after deployment

Step 3: Deploy FortiGate-VM on ESXi

3.1 Access vSphere Client

Open your web browser
Navigate to your ESXi host IP address: https://[ESXi-IP]/ui
Log in with your ESXi root credentials

3.2 Deploy OVF Template

Method 1: Using vSphere Web Client

In the vSphere client, click Create/Register VM
Select Deploy a virtual machine from an OVF or OVA file
Click Next
Configure VM Details:
- Name: Enter a descriptive name (e.g., "FortiGate-Firewall-01")
- Select files: Click Browse or drag and drop:
  - FortiGate-VM64.ovf (or appropriate version)
  - fortios.vmdk
  - datadrive.vmdk
- Click Next
Select Storage:
- Choose the datastore where the VM will be stored
- Click Next
Deployment Options:
- Disk provisioning: Select based on your needs:
  - Thin Provision - Best for flexible storage (recommended for testing)
  - Thick Provision Lazy Zeroed - Good balance of performance and space
  - Thick Provision Eager Zeroed - Best performance (recommended for production)
- Network mappings: Map each network interface to appropriate port groups:
  - Network 1 (port1): Management/LAN network
  - Network 2 (port2): WAN network
  - Network 3-10: Additional interfaces as needed
- Click Next
Review Settings:
- Verify all deployment parameters
- Click Finish

The deployment process will begin. This may take 5-10 minutes depending on your storage speed.

3.3 Configure VM Hardware (Optional)

Before powering on, you may want to adjust hardware settings:

Right-click the FortiGate-VM in the inventory
Select Edit Settings
Adjust resources as needed:
- CPU: Increase if you expect high throughput
- Memory: Scale based on your license model
- Network Adapters: Add more interfaces if needed
Click Save

Step 4: Initial Console Configuration

4.1 Power On the VM

Right-click the FortiGate-VM
Select Power > Power On
Click on the VM thumbnail to open the console

4.2 Wait for Boot Completion

Watch the console as FortiGate boots. You'll see:

System initialization messages
Hardware detection
Network interface enumeration

When boot is complete, you'll see:

FortiGate-VM64 login:

4.3 Initial Login

Default credentials:

Username: admin
Password: (leave blank - press Enter)

FortiGate-VM64 login: admin
Password: [press Enter]

4.4 Change Admin Password

You'll be prompted to change the password immediately:

You are forced to change your password. Please input a new password.
New Password: [enter secure password]
Confirm Password: [re-enter password]

Password requirements:

Minimum 8 characters
Mix of uppercase, lowercase, numbers, and special characters recommended

Step 5: Configure Network Interfaces via CLI

5.1 Configure Management Interface (port1)

Set up port1 with a static IP for management access:

config system interface
    edit "port1"
        set mode static
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http
        set alias "Management"
    next
end

Replace 192.168.1.99 with an IP address in your management network.

5.2 Configure WAN Interface (port2)

Configure port2 for internet connectivity:

config system interface
    edit "port2"
        set mode static
        set ip 10.0.0.99 255.255.255.0
        set allowaccess ping
        set alias "WAN"
    next
end

Adjust the IP address based on your WAN network configuration.

5.3 Configure LAN Interface (port3)

If you have additional interfaces for internal networks:

config system interface
    edit "port3"
        set mode static
        set ip 172.16.0.1 255.255.255.0
        set allowaccess ping https ssh
        set alias "LAN"
    next
end

5.4 Configure Default Gateway

Set up the default route pointing to your WAN gateway:

config router static
    edit 1
        set gateway 10.0.0.1
        set device "port2"
    next
end

Replace 10.0.0.1 with your actual WAN gateway IP.

5.5 Configure DNS Servers

config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
end

5.6 Set Hostname and Timezone

config system global
    set hostname "FortiGate-FW01"
    set timezone 74
end

Note: Timezone 74 is GMT+12 (Auckland, NZ). Find your timezone number:

get system timezone

Step 6: Upload License File

6.1 Via GUI (Recommended)

Open your web browser
Navigate to https://192.168.1.99 (your port1 IP)
Accept the security certificate warning (self-signed certificate)
Log in with:
- Username: admin
- Password: [password you set earlier]
The License Upload page appears automatically
Click Browse or Choose File
Select the .lic file you downloaded earlier
Click Upload
Wait for license validation (requires internet connectivity)

6.2 Via CLI (Alternative)

If GUI access isn't available:

Upload the license file to the FortiGate using SCP/TFTP
Or paste the license content:

execute restore config ftp license.lic [FTP-Server-IP] [username]

Or directly via CLI:

execute restore vmlicense
[Paste license file content]
[Press Ctrl+D to finish]

Step 7: Basic GUI Configuration

7.1 Complete Setup Wizard

After license upload, the Setup Wizard launches:

Dashboard Setup
- Select widgets you want to display
- Click Next
Network Configuration
- Verify interface settings
- Click Next
System Time
- Confirm timezone
- Enable NTP: pool.ntp.org
- Click Next
Update Settings
- Enable automatic updates (recommended)
- Click Finish

7.2 Navigate the GUI

Key sections:

Dashboard: System overview and monitoring
Network: Interface and routing configuration
Policy & Objects: Firewall rules and objects
Security Profiles: IPS, antivirus, web filtering
User & Authentication: User accounts and SSO
System: Global settings and administration

Step 8: Configure Basic Firewall Policies

8.1 Create Address Objects

Go to Policy & Objects > Addresses
Click Create New > Address
Create objects for your networks:

LAN Network:

Name: LAN_Network
Type: Subnet
Subnet/IP Range: 172.16.0.0/24
Interface: port3

WAN Network:

Name: WAN_Network
Type: Subnet
Subnet/IP Range: 10.0.0.0/24
Interface: port2

8.2 Create LAN to WAN Policy

Go to Policy & Objects > Firewall Policy
Click Create New
Configure the policy:

Name: LAN-to-Internet
Incoming Interface: port3
Outgoing Interface: port2
Source: LAN_Network
Destination: all
Service: ALL
Schedule: always
Action: ACCEPT
NAT: Enable

Enable security profiles:
- Antivirus: default
- Web Filter: default
- IPS: default
- Application Control: default
Click OK

8.3 Create Management Access Policy

Allow management from LAN:

Name: LAN-to-Firewall
Incoming Interface: port3
Outgoing Interface: port1
Source: LAN_Network
Destination: port1 address
Service: HTTPS, SSH, PING
Action: ACCEPT

Step 9: Configure DHCP Server (Optional)

If FortiGate will provide DHCP for your LAN:

Go to Network > Interfaces
Select port3 (LAN interface)
Click Edit
Expand DHCP Server
Enable DHCP Server
Configure:
- Address Range: 172.16.0.100 - 172.16.0.200
- Netmask: 255.255.255.0
- Default Gateway: 172.16.0.1
- DNS Server: 172.16.0.1 (FortiGate acts as DNS forwarder)
Click OK

Step 10: Configure DNS and NTP

10.1 DNS Settings

Go to Network > DNS
Configure:
- DNS Servers: 8.8.8.8, 8.8.4.4
- DNS Database: Configure local DNS entries if needed
Click Apply

10.2 NTP Settings

Go to System > Settings
Scroll to System Time
Configure:
- Time Zone: Select your timezone
- NTP Server: pool.ntp.org
- Sync Interval: 60 minutes
Click Apply

Step 11: Enable FortiGuard Services

11.1 Verify FortiGuard Connectivity

Go to System > FortiGuard
Check connection status for:
- Antivirus
- IPS
- Web Filtering
- Application Control

All should show Connected status.

11.2 Update Signatures

Go to Dashboard
Locate FortiGuard widget
Click Update Now for each service:
- Antivirus Definitions
- IPS Signatures
- Application Database

Step 12: Configure VPN (Optional)

12.1 IPsec VPN Wizard

For site-to-site VPN:

Go to VPN > IPsec Wizard
Select Site to Site
Follow the wizard:
- Remote Device Type: FortiGate or other
- IP Address: Remote peer IP
- Pre-shared Key: Shared secret
- Local Interface: port2 (WAN)
- Local Subnet: Your LAN
- Remote Subnet: Remote LAN

12.2 SSL VPN Configuration

For remote access:

Go to VPN > SSL-VPN Settings
Enable SSL-VPN
Configure:
- Listen Interface: port2 (WAN)
- Port: 443
- IP Range: 10.212.134.200 - 10.212.134.254
Create portal and users in User & Authentication

Step 13: System Hardening and Best Practices

13.1 Create Admin Accounts

Don't use the default admin account:

Go to System > Administrators
Click Create New > Administrator
Configure:
- Username: Your name
- Password: Strong password
- Administrator Profile: super_admin
- PKI Group: Leave empty
- Two-factor Authentication: Enable (recommended)

13.2 Disable Unused Services

config system global
    set admin-sport 8443
    set admin-telnet disable
    set admin-lockout-threshold 5
    set admin-lockout-duration 300
end

13.3 Enable Logging

Go to Log & Report > Log Settings
Configure logging to:
- Memory: Enable
- FortiAnalyzer: If you have one
- Syslog: External syslog server

13.4 Configure SNMP (Optional)

For monitoring with SNMP:

config system snmp sysinfo
    set status enable
    set description "FortiGate Firewall"
    set contact-info "admin@company.com"
end

config system snmp community
    edit 1
        set name "public"
        set hosts 192.168.1.0 255.255.255.0
    next
end

Step 14: Backup Configuration

14.1 Create Configuration Backup

Go to System > Backup > Backup
Configure:
- Backup to: Local PC
- Encryption: Enable (recommended)
- Password: Strong password
Click OK
Save the backup file in a secure location

14.2 Schedule Automatic Backups

config system auto-script
    edit "daily-backup"
        set interval 86400
        set start auto
        set script "execute backup config ftp config-backup.conf [ftp-server] [username] [password]"
    next
end

Step 15: Testing and Verification

15.1 Test Internet Connectivity

From a device on your LAN:

ping 8.8.8.8
ping google.com

15.2 Test Firewall Rules

Go to Log & Report > Forward Traffic
Generate traffic from LAN to Internet
Verify logs appear with correct policy

15.3 Test Security Profiles

Visit test sites:

Antivirus: http://www.eicar.org/download/eicar.com
IPS: Attempt SQL injection or XSS
Web Filter: Try accessing blocked categories

15.4 Verify System Performance

Go to Dashboard
Monitor widgets:
- CPU Usage: Should be under 80%
- Memory Usage: Should be under 80%
- Session Count: Monitor concurrent sessions
- Bandwidth Usage: Check throughput

Common CLI Commands Reference

System Information

get system status                    # System status
get system performance status        # Performance metrics
diagnose hardware deviceinfo disk    # Disk information
get system interface physical        # Interface details

Network Troubleshooting

diagnose ip address list             # Show IP addresses
get router info routing-table all    # Show routing table
diagnose sniffer packet any          # Packet capture
execute ping [IP]                    # Ping test
execute traceroute [IP]              # Traceroute

Policy and Sessions

diagnose firewall policy list        # List policies
diagnose sys session list            # Active sessions
diagnose sys session filter src [IP] # Filter sessions
diagnose sys session clear           # Clear sessions

License and Updates

get system status | grep License     # Check license
execute update-now                   # Force update
diagnose autoupdate versions         # Check versions

Configuration Management

show                                 # Show running config
show | grep [keyword]                # Search config
execute backup config ftp [file] [server] [user] # Backup config
execute restore config ftp [file] [server] [user] # Restore config

Troubleshooting Common Issues

Issue 1: Cannot Access GUI

Symptoms: Unable to connect to FortiGate web interface

Solutions:

Verify IP configuration:
```
diagnose ip address list
```

Check if HTTPS is allowed:

config system interface    edit "port1"        set allowaccess https ping ssh    nextend

Clear browser cache or try different browser
Verify network connectivity with ping

Issue 2: No Internet Access

Symptoms: LAN clients cannot reach internet

Solutions:

Verify default route:
```
get router info routing-table all
```
Check NAT configuration in firewall policy
Verify DNS settings:
```
diagnose test application dnsproxy 6
```
Test from FortiGate itself:
```
execute ping 8.8.8.8
```

Issue 3: License Validation Failed

Symptoms: Cannot upload license or validation fails

Solutions:

Verify internet connectivity
Check FortiGuard connection:
```
diagnose debug rating
```
Manually sync with FortiGuard:
```
execute update-now
```
Verify license file integrity

Issue 4: High CPU Usage

Symptoms: System sluggish, high CPU utilization

Solutions:

Check CPU usage:
```
get system performance status
```
Disable unnecessary security profiles
Review session count:
```
diagnose sys session stat
```
Increase VM resources (vCPU, RAM)

Enable flow-based inspection:

config system settings    set inspection-mode flowend

Issue 5: Cannot See Virtual Machine in ESXi

Symptoms: FortiGate-VM doesn't appear after deployment

Solutions:

Verify OVF template compatibility with ESXi version
Check datastore has sufficient space
Review ESXi event logs for deployment errors
Try redeploying with different disk provisioning option

Performance Optimization Tips

1. Enable Offloading Features

config system global
    set tcp-option enable
    set gui-firmware-upgrade-warning disable
end

config system settings
    set inspection-mode flow
    set ngfw-mode policy-based
end

2. Tune Session Table

config system global
    set tcp-halfclose-timer 120
    set tcp-halfopen-timer 10
    set tcp-timewait-timer 1
end

3. Optimize Logging

Log only important events
Use FortiAnalyzer for log storage
Disable logging for non-critical policies

4. Use Policy Matching Optimization

Place most-used policies at the top
Consolidate similar policies
Use interface pairs where possible

Security Hardening Checklist

[ ] Change default admin password
[ ] Create separate admin accounts
[ ] Enable two-factor authentication
[ ] Disable unused network interfaces
[ ] Configure admin access restrictions (trusted hosts)
[ ] Enable HTTPS admin access only
[ ] Change default admin port (8443)
[ ] Enable login attempt limits
[ ] Configure scheduled backups
[ ] Enable FortiGuard services
[ ] Create restrictive firewall policies (deny-by-default)
[ ] Enable security profiles on all policies
[ ] Configure proper logging and monitoring
[ ] Keep FortiOS updated
[ ] Document all configurations

Maintenance Schedule

Daily Tasks

Monitor dashboard for anomalies
Review security logs
Check FortiGuard connection status

Weekly Tasks

Review firewall policy hit counts
Analyze top sources/destinations
Check system resource utilization
Update security signatures

Monthly Tasks

Review and update firewall policies
Audit administrator accounts
Test backup restoration
Update FortiOS if new version available
Generate and review security reports

Quarterly Tasks

Full security audit
Review and update security profiles
Capacity planning review
Disaster recovery drill

Additional Resources

Official Documentation

FortiGate VM Documentation: https://
docs.fortinet.com
VMware ESXi Documentation: https://
docs.vmware.com
FortiGate Cookbook: https://
cookbook.fortinet.com

Support Resources

Fortinet Support Portal: https://
support.fortinet.com
Fortinet Community: https://
community.fortinet.com
FortiGate Training: https://
training.fortinet.com

Useful Tools

FortiGate VM Sizing Tool
FortiConverter (for config migration)
FortiPlanner (for network planning)
FortiGate Cloud Portal

Conclusion

You now have a fully functional FortiGate virtual appliance running on VMware ESXi. This powerful security platform provides enterprise-grade protection for your virtual infrastructure.

Key takeaways:

FortiGate-VM offers the same security features as physical appliances
Proper network configuration is critical for security and performance
Regular updates and monitoring ensure optimal protection
Backup configurations regularly to prevent data loss

Next steps:

Explore advanced features like SD-WAN and Security Fabric
Integrate with FortiManager for centralized management
Configure SSL inspection for encrypted traffic
Implement advanced threat protection with sandboxing

Remember to keep your FortiGate updated, monitor logs regularly, and follow security best practices to maintain a robust security posture.